The CRT module was designed to handle various certificate authority (CA) implementations via specific drivers. Currently one driver is implemented: the CAW driver, which handles the communication with the CAW certificate authority (bundled in the module).
The module consists of these basic parts:
The secret of any certificate can be downloaded by a user with the permissions CERTIFICATE_READ and CERTIFICATE_DOWNLOADSECRET. The secret is encrypted with the RSA public key stored in the configuration item idm.sec.crt.secret.pub; the key length is arbitrary (2048 bits or more is recommended). The private key is stored in the external application and is used to decrypt the secret. The key pair can be generated with these commands (you can change 2048 to 4096, 8192, …):
openssl genrsa -out private.key 2048
openssl rsa -in private.key -outform PEM -pubout -out public.key
The public key to be stored in the IdM configuration is in the file public.key: save it without the lines starting with ----- (the BEGIN/END PUBLIC KEY delimiters) and with the remaining lines joined into one line (without spaces). The private key, used by the external application to decrypt the secret, is in the file private.key.
The URL for the secret download is /api/v1/crt/certificates/{certificateId}/download-secret, where certificateId is the UUID of the certificate in IdM. The response is JSON with this structure:
{
  "certificate_id": "certificateId from URL",
  "secret": "Base64 encoded RSA encrypted certificate secret by public key in idm.sec.crt.secret.pub"
}
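The following is an added example (not code from the CRT module or from CzechIdM) of the two pieces an operator has to get right on the external-application side: turning the openssl-generated public.key into the one-line value for idm.sec.crt.secret.pub, and consuming the /download-secret response (JSON parse, Base64 decode, RSA decrypt with private.key). Because the page does not state which RSA padding scheme IdM uses, the example assumes PKCS#1 v1.5 and marks that assumption in the code; the certificate UUID, the plaintext secret and the `simulateIdM` helper that stands in for the IdM server are constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// secretResponse mirrors the JSON body returned by
// /api/v1/crt/certificates/{certificateId}/download-secret.
type secretResponse struct {
	CertificateID string `json:"certificate_id"`
	Secret        string `json:"secret"`
}

// PublicKeyConfigValue converts the PEM text of public.key (output of
// `openssl rsa -pubout`) into the form expected in idm.sec.crt.secret.pub:
// the "-----BEGIN/END PUBLIC KEY-----" lines are dropped and the remaining
// Base64 lines are joined into one line with no whitespace.
func PublicKeyConfigValue(pemText string) string {
	var b strings.Builder
	for _, line := range strings.Split(pemText, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "-----") {
			continue
		}
		b.WriteString(line)
	}
	return b.String()
}

// DecryptDownloadedSecret parses the response body, checks that it belongs to
// the certificate that was requested, Base64-decodes "secret" and decrypts it
// with the private key from private.key.
// ASSUMPTION: PKCS#1 v1.5 padding; the documentation does not name the scheme,
// so confirm it against your IdM deployment before relying on this.
func DecryptDownloadedSecret(body []byte, priv *rsa.PrivateKey, expectedCertID string) (string, error) {
	var resp secretResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("parse response: %w", err)
	}
	if resp.CertificateID != expectedCertID {
		return "", errors.New("certificate_id in response does not match the requested certificate")
	}
	ciphertext, err := base64.StdEncoding.DecodeString(resp.Secret)
	if err != nil {
		return "", fmt.Errorf("decode secret: %w", err)
	}
	plaintext, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ciphertext)
	if err != nil {
		return "", fmt.Errorf("decrypt secret: %w", err)
	}
	return string(plaintext), nil
}

// simulateIdM is a constructed stand-in for the IdM server: it rebuilds the
// public key from the one-line configuration value and produces the JSON body
// the endpoint would return. It is not part of CzechIdM.
func simulateIdM(configValue, certID, secret string) ([]byte, error) {
	der, err := base64.StdEncoding.DecodeString(configValue)
	if err != nil {
		return nil, err
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("configured key is not an RSA public key")
	}
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(secret))
	if err != nil {
		return nil, err
	}
	return json.Marshal(secretResponse{CertificateID: certID, Secret: base64.StdEncoding.EncodeToString(ct)})
}

// RoundTrip generates a 2048-bit key pair (the size used in the openssl
// commands above), derives the configuration value, obtains a simulated
// response and decrypts it. It returns the recovered secret.
func RoundTrip(secret string) (string, error) {
	const certID = "00000000-0000-4000-8000-000000000001" // constructed placeholder UUID
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	pemText := string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	body, err := simulateIdM(PublicKeyConfigValue(pemText), certID, secret)
	if err != nil {
		return "", err
	}
	return DecryptDownloadedSecret(body, priv, certID)
}

func main() {
	got, err := RoundTrip("constructed-certificate-secret")
	fmt.Println(got, err)
}
```

Note that PKCS#1 v1.5 with a 2048-bit key can encrypt at most 245 bytes of plaintext, which is one reason the page recommends 2048 bits or more; if your secrets are longer, check which scheme and key size your deployment actually uses.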